Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
ACC97: Understanding the Role of Workgroup Information Files in Access Security
Article ID: 303941 - View products that this article applies to.
This article was previously published under Q303941
Moderate: Requires basic macro, coding, and interoperability skills.
This article applies only to a Microsoft Access database (.mdb).
This article explains the role and relationship of the workgroup information file (MDW) in Microsoft Access security.
When you install Microsoft Access and open a database for the first time, a new file named System.mdw is created in the Windows\System folder. This file is the default workgroup information file.
The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.
If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.
IMPORTANT: If you establish Access security in a database, Microsoft recommends that you have a backup or copy of the workgroup information file in a safe location. If the file is lost or damaged or otherwise becomes useless, the only way to recover the file quickly is to have a copy of the file. Otherwise, the database administrator would have to try to re-create the User Accounts exactly as they were initially. This is a risky situation. If the workgroup information file is not created exactly as the original, the file will not work with the database. This will prevent the successful use of the database for its designed purpose. In most cases, a current backup of the database file is the only sure way to recover the file.
Access uses the workgroup information file even when the database has not been secured. The file uses the default Admin user account. The Admin user account does not have a password at that point, and therefore it does not trigger a logon prompt.
For additional information about securing a Microsoft Access database, click the article number below to view the article in the Microsoft Knowledge Base:
132143Access security is based on a hierarchy of Groups, Users and Database objects (forms, reports, queries, and so on).
(http://support.microsoft.com/kb/132143/EN-US/ )ACC: Overview of How to Secure a Microsoft Access Database
Groups and UsersGroups are collections of users who typically, but not always, have the same "role" and reason for working in the database. Some users will have more latitude and some will have less latitude in the database. To administer users of varying scope, Microsoft recommends that they be placed into separate groups based on their needs.
Users are individuals who will actually use either all or part of the database. A User can belong to more than one group. In Access security, one key concept to remember is this. If any user is a member of two or more Groups in the database and security has been established on the groups, that user will have the most liberal permissions between or among all the groups they are a member of.
The workgroup information file is used to store the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. That information is stored in the workgroup information file.
If the database administrator creates groups to cluster users who work in the same capacity, it is far easier to assign permissions at the group level than to try to administer individual user accounts that have the exact same set of permissions over the whole company. If the permissions are assigned to the group, they will extend to each member of that group. Therefore, the database administrator can easily set up a new user account, assign them to the proper group, and that user is ready to proceed immediately. The group permissions will govern their activities automatically.
Database ObjectsAll Database Objects have an Owner and a series of permissions that must be determined at the Group or individual User level.
PermissionsWith permissions, the user can open objects and modify objects or the data retained by the objects. With the correct set of permissions, any user belonging to a group can perform tasks without hindrance and without compromising the security of the application or the underlying data. NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the database.
Permissions and the Ownership of database objects are stored in the database file itself. Because permissions and ownership properties always refer to specific user and group accounts that are stored in the MDW file used to secure it, a secured application must always be opened by using the specific workgroup information file it was secured with.
One exception to this involves the default Admin user. The Admin user is the same across all workgroups and cannot be deleted. This design is what enables moving an unsecured Access file from one computer to another without having to also move the MDW file from the computer that was used to create the database. Because of this, a user could create and join a different workgroup information file, log on as the same Admin user without a password, and then be able to open your "secured" file with any permissions that were granted to the Admin user. Therefore, a properly secured database will have all permissions for the Admin user removed so that this cannot occur.
It is also possible to use multiple workgroup information files on the same compuer. This often occurs if one database is secured but others are not. Or, each database may each have its own separate security scheme for various reasons. After an Access application has been properly secured, the MDW file used while setting up the security is the only workgroup information file the database will work with. It can be copied to each local workstation or shared across a network.
Workgroup File AdministrationThe developer or application administrator can create additional workgroup information files using Wrkgadm.exe. This utility can be found in the following folder:
C:\Windows\SystemThis Workgroup Administrator is designed to create or join workgroup information files. Joining a specific MDW file using Workgroup Administrator makes that file the default when Microsoft Access is started by one of the following methods:
For example, to start an Access Database named MyApp located in a folder named MyAppFolder using the workgroup information file that was used to establish security on this application database, the command line syntax must use the /WrkGrp command-line switch and would look similar to the following example:
"C:\Program Files\Microsoft Office\Office\MSAccess.Exe" "C:\MyAppFolder\MyApp.MDB" /wrkgrp "C:\MyAppFolder\System.MDW"For additional information about Command-Line Options, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/105128/EN-US/ )ACC: How to Use Command-Line Switches in Microsoft Access
Workgroup Information File NameYou can also give the workgroup information file a different name than the default name of System.mdw. Often, the workgroup information file is given the same name as the database it is securing. This helps identify it quickly from other MDW files, and associates it with the correct database file.
Another method for managing multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database it is associated with.
Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally "secure" the default copy of System.mdw, you can create a new System.mdw file in the default path. To create a new workgroup information file, follow these steps:
Run-Time Access DatabasesIf you are using Microsoft Office 97 Developer Edition, you must include the specific secured workgroup information file for any secured database that you are distributing.
If you are not distributing a Microsoft Access database with security, then you do not have to include the workgroup information file.
For additional information about Microsoft Access security, see the "Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000" white paper at the following Microsoft Web site:
Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000You can also download this white paper from the Microsoft Download Center at the following Microsoft Web site:
For more information about command-line options, click Microsoft Access Help on the Help menu, type startup command-line options in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.
Collapse this imageExpand this image
Article ID: 303941 - Last Review: January 31, 2007 - Revision: 3.3